The number of DDoS attacks is soaring, according to Akamai’s latest State of the Internet report. But attack characteristics have shifted, as attackers have moved to quick strikes based on rented botnets, and are relying more heavily on reflection attacks that exploit compromised internet services.

Akamai reports that attacks were up a whopping 149% compared to this time last year – though it’s worth noting that the data reflects Akamai’s changing customer base, not all DDoS attacks everywhere.

Last quarter, the average DDoS attack against an Akamai customer clocked in at just under 15 hours, barely half the average length from a year before. And, measured by data volume, there were fewer mega-attacks: only five exceeding 100 Gbit/sec, compared with nine a year before.

Drilling down, Akamai found that the vast majority of DDoS attacks are now launched from stresser/booter-based botnets (such as the one run by Lizard Squad) that bounce traffic off servers that run compromised versions of certain services. These botnets aim to maximize attack bandwidth and intensity, so they deliver larger (but fewer) packets faster.

As Akamai notes:

Sites offering booter/stresser tools are purportedly set up to allow administrators to load test their own sites. However, many of the sites are used as DDoS-for-hire tools, relying on reflection attacks to generate traffic.

Sophos Home

Like so much else these days, these sites are subscription-based; Akamai notes that they usually limit attack length, unlike old-fashioned DDoS attacks that lasted until “the attack was mitigated, the malicious actor gave up, or the botnet was taken down.” Yet another example of how the cloud makes things easy: why build and operate your own botnet if you can just hire someone else’s for long enough to cause havoc?

Who’s getting attacked? Akamai says online gaming companies are the ones that get hammered the hardest, followed by software and tech firms, then finance, internet firms and telecoms (who usually show up as victims because they’re hosting the sites the attackers have decided to target).

Assaults against infrastructure, rather than applications, now account for 97% of all DDoS activity.

Attackers go after the same victims repeatedly: among Akamai customers who suffered DDoS attacks last quarter, the average victim was hit 24 times. Three unfortunate organizations were hit over 100 times; one of them, 188.

A majority of attacks are now multiple-vector, making them even harder to defend. Akamai cited one 17-hour DDoS attack with eight vectors, each needing separate mitigation.

Where are attacks coming from? China’s #1, with 27.6%. Turkey soared past the US and UK to 22% last quarter, thanks to a single massive event.

What’s next? Nothing good, predicts Akamai:

We expect to see more records set for the number of DDoS attacks… driven in large part by the continued use of stresser-booter botnets… There’s little chance of a rapid cleanup of the servers that enable these attacks.

…the number of targets attacked will likely grow incrementally, while the number of attacks will grow by leaps and bounds, leading to large increases in attacks per target.